Search Results (16)

Electronic Medical Records (EMRs) are mandatory in Indonesia following the Ministry of Health regulation, which raises significant challenges in data security and patient-centric access control. Current implementations rely on centralized healthcare systems or third-party vendors, creating risks of unauthorized access, data leakage, and uncertain data integrity. To address these issues, this study proposes DecMed, a decentralized EMR management framework built on IOTA Distributed Ledger Technology (DLT). DecMed integrates Capability-Based Access Control (CapBAC), Proxy Re-Encryption (PRE), and the InterPlanetary File System (IPFS) to enforce patient ownership of medical data. Patients actively grant or revoke access, define access duration, and selectively share data with healthcare personnel. The system is implemented using smart contracts in the Move programming language on the IOTA ledger, while encrypted clinical data is stored on IPFS. Evaluation through unit testing of various unauthorized access scenarios demonstrates that DecMed effectively enforces fine-grained access rules, preserves data confidentiality and integrity, and ensures compliance with national healthcare requirements. Full article

A sharing framework based on Zero-Knowledge Proof (ZKP) and Proxy Re-encryption (PRE) technologies offers a promising solution for sharing Student Electronic Academic Records (SEARs). As core credentials in the education sector, student records are characterized by strong identity binding, the need for long-term retention, frequent cross-institutional verification, and sensitive information. Compared with electronic health records and government archives, they face more complex security, privacy protection, and storage scalability challenges during sharing. These records not only contain sensitive data such as personal identity and academic performance but also serve as crucial evidence in key scenarios such as further education, employment, and professional title evaluation. Leakage or tampering could have irreversible impacts on a student’s career development. Furthermore, traditional blockchain technology faces storage capacity limitations when storing massive academic records, and existing general electronic record sharing solutions struggle to meet the high-frequency verification demands of educational authorities, universities, and employers for academic data. This study proposes a dedicated sharing framework for students’ electronic academic records, leveraging PRE technology and the distributed ledger characteristics of blockchain to ensure transparency and immutability during sharing. By integrating the InterPlanetary File System (IPFS) with Ethereum Smart Contract (SC), it addresses blockchain storage bottlenecks, enabling secure storage and efficient sharing of academic records. Relying on optimized ZKP technology, it supports verifying the authenticity and integrity of records without revealing sensitive content. Furthermore, the introduction of gate circuit merging, constant folding techniques, Field-Programmable Gate Array (FPGA) hardware acceleration, and the efficient Bulletproofs algorithm alleviates the high computational complexity of ZKP, significantly reducing proof generation time. The experimental results demonstrate that the framework, while ensuring strong privacy protection, can meet the cross-scenario sharing needs of student records and significantly improve sharing efficiency and security. Therefore, this method exhibits superior security and performance in privacy-preserving scenarios. This framework can be applied to scenarios such as cross-institutional academic certification, employer background checks, and long-term management of academic records by educational authorities, providing secure and efficient technical support for the sharing of electronic academic credentials in the digital education ecosystem. Full article

As smart education evolves, there is an increasing need for the cloud-centric management and sharing of student exercise physiological data gathered through wearable devices in the physical education domain. However, challenges arise in achieving authentication for data sources, ensuring the security of sensitive data, and implementing efficient dynamic access control. Traditional cryptographic schemes face limitations in resisting quantum attacks, authenticating data sources, protecting identity privacy, handling dynamic permission changes, and computational efficiency. To tackle these challenges, we put forward a lattice-based Online/Offline Identity-Based Matchmaking Proxy Re-Encryption (OO-IB-MPRE) scheme. The scheme offers post-quantum security assurances grounded in lattice cryptography (under the LWE/ISIS assumptions); incorporates Identity-Based matchmaking encryption (IB-ME) to realize bidirectional identity matching, which not only enables identity authentication for data sources but also safeguards the sender’s identity privacy from exposure to other entities; leverages Proxy Re-Encryption (PRE) to support dynamic management of access control; and combines online/offline encryption to adapt to resource constrained sensors. The security of the OO-IB-MPRE scheme is verified under standard lattice assumptions to meet the security requirements of semi-selective privacy and authenticity. Performance analysis and experimental validation demonstrate that in comparison to existing lattice-based PRE schemes, the devised scheme shows notable advantages in both space and computational overhead. Therefore, the proposed OO-IB-MPRE offers a secure, efficient, and scalable solution for the sensitive health data in smart physical education. Full article

With the rapid development of the Internet of Medical Things (IoMT), the data generated and collected by various sensors and medical devices are gradually increasing. How to realize flexible, efficient, and secure data sharing while ensuring data confidentiality and patient privacy has become a critical research challenge. The traditional Public Key Infrastructure (PKI) must deal with the complicated certificate management problem. An identity-based cryptosystem has the inherent key-escrow risk. These concerns make them unsuitable for resource-constrained and dynamic IoMT environments. To address it, this paper introduces a cloud data sharing protocol for IoMT using a Certificateless Proxy Re-encryption (CL-PRE) scheme that integrates an efficient access-list-based user revocation mechanism. In our system, a patient’s data can be encrypted and securely stored in a semi-trusted third party like the cloud server. When the patient wants to grant the access to designated users, e.g., doctors or medical institutions, a delegated proxy server will re-encrypt the ciphertext to a new one, which is decryptable by the designators. The proxy server also learns nothing during the re-encryption process, so as to maintain the end-to-end confidentiality. As for the security, the authors formally prove that the proposed CL-PRE mechanism for IoMT achieves Type-I and Type-II indistinguishability against adaptive chosen-identity and chosen-ciphertext attacks (IND-PrID-CCA) under the Decisional Bilinear Diffie–Hellman (DBDH) assumption. Moreover, the functional and computational comparisons with previous studies reveal the qualitative advantage of simultaneously achieving certificateless properties and user revocation, and the quantitative advantage of an optimized encryption cost (requiring only one bilinear pairing and two scalar multiplications), making it a theoretically efficient solution for resource-constrained IoMT devices. Full article

In recent years, remote data management environments have been increasingly deployed across diverse infrastructures, accompanied by a rapid surge in the demand for sharing and collaborative processing of sensitive data. Consequently, ensuring data security and privacy protection remains a fundamental challenge. A representative example of such an environment is the cloud, where efficient mechanisms for secure data sharing and access control are essential. In domains such as finance, healthcare, and public administration, where large volumes of sensitive information are processed by multiple participants, traditional access-control techniques often fail to satisfy the stringent security requirements. To address these limitations, Key-Aggregate Proxy Re-Encryption (KA-PRE) has emerged as a promising cryptographic primitive that simultaneously provides efficient key management and flexible authorization. However, existing KA-PRE constructions still suffer from several inherent security weaknesses, including aggregate-key leakage, ciphertext insertion and regeneration attacks, metadata exposure, and the lack of participant anonymity within the data-management framework. To overcome these limitations, this study systematically analyzes potential attack models in the KA-PRE setting and introduces a novel KA-PRE scheme designed to mitigate the identified vulnerabilities. Furthermore, through theoretical comparison with existing approaches and an evaluation of computational efficiency, the proposed scheme is shown to enhance security while maintaining practical performance and scalability. Full article

Cloud-assisted Internet of Things (IoT) has become the core infrastructure of smart society since it solves the computational power, storage, and collaboration bottlenecks of traditional IoT through resource decoupling and capability complementarity. The development of a graph database and cloud-assisted IoT promotes the research of privacy preserving graph computation. We propose a secure graph intersection scheme that supports multi-user intersection queries in cloud-assisted IoT in this article. The existing work on graph encryption for intersection queries is designed for a single user, which will bring high computational and communication costs for data owners, or cause the risk of secret key leaking if directly applied to multi-user scenarios. To solve these problems, we employ the proxy re-encryption (PRE) that transforms the encrypted graph data with a re-encryption key to enable the graph intersection results to be decrypted by an authorized IoT user using their own private key, while data owners only encrypt their graph data on IoT devices once. In our scheme, different IoT users can query for the intersection of graphs flexibly, while data owners do not need to perform encryption operations every time an IoT user makes a query. Theoretical analysis and simulation results demonstrate that the graph intersection scheme in this paper is secure and practical. Full article

Proxy re-encryption (PRE) is a cryptographic primitive that extends public key encryption by allowing ciphertexts to be re-encrypted from one user to another without revealing information about the underlying plaintext. This makes it an essential privacy-enhancing technology, as only the intended recipient is able to decrypt sensitive personal information. Previous PRE schemes were commonly based on symmetric bilinear pairings. However, these have been found to be slower and less secure than the more modern asymmetric pairings. To address this, we propose two new PRE scheme variants, based on the unidirectional symmetric pairing-based scheme by Weng et al. and adapted to utilize asymmetric pairings. We employ a known automated black-box reduction technique to transform the base scheme to the asymmetric setting, identify its shortcomings, and subsequently present an alternative manual transformation that fixes these flaws. The adapted schemes retain the properties of the base scheme and are therefore CCA-secure in the adaptive corruption model without the use of random oracles, while being faster, practical, and more secure overall than the base scheme. Full article

Existing attribute-based proxy re-encryption schemes suffer from issues like complex access policies, large ciphertext storage space consumption, and an excessive authority of the authorization center, leading to weak security and controllability of data sharing in cloud storage. This study proposes a Weighted Attribute Authority Multi-Authority Proxy Re-Encryption (WAMA-PRE) scheme that introduces attribute weights to elevate the expression of access policies from binary to multi-valued, simplifying policies and reducing ciphertext storage space. Simultaneously, the multiple attribute authorities and the authorization center construct a joint key, reducing reliance on a single authorization center. The proposed distributed attribute authority network enhances the anti-attack capability of cloud storage. Experimental results show that introducing attribute weights can reduce ciphertext storage space by 50%, proxy re-encryption saves 63% time compared to repeated encryption, and the joint key construction time is only 1% of the benchmark scheme. Security analysis proves that WAMA-PRE achieves CPA security under the decisional q-parallel BDHE assumption in the random oracle model. This study provides an effective solution for secure data sharing in cloud storage. Full article

The popularity of secure cloud data sharing is on the rise, but it also comes with significant concerns about privacy violations and data tampering. While existing Proxy Re-Encryption (PRE) schemes effectively protect data in the cloud, challenges persist with certificate administration and key escrow. Moreover, the increasing number of users and prevalence of lightweight devices demand functional and cost-effective solutions. To address these issues, this paper presents a novel Pairing-free Certificate-Based Proxy Re-Encryption Plus scheme that leverages elliptic curve groups for improved effectiveness and performance. This scheme successfully resolves challenges related to certificate management and key escrow in traditional PRE schemes, while also introducing non-transferable and message-level fine-grained control characteristics. These enhancements bolster data security during sharing and minimize the risk of malicious information leakage. Our proposed scheme’s correctness, security, and effectiveness are rigorously verified and analyzed. The results demonstrate that the scheme achieves the chosen ciphertext security in the random oracle model. Compared to current PRE schemes, our approach offers greater advantages, lower computational overhead, and enhanced suitability for practical cloud computing applications. Full article

To address the quantum attacks on number theory-based ciphertext policy attribute-based encryption (CP-ABE), and to avoid private key leakage problems by relying on a trustworthy central authority, we propose a lattice-inspired CP-ABE scheme for data access and sharing based on blockchain in this paper. Firstly, a CP-ABE-based algorithm using learning with errors (LWE) assumption is constructed, which is selective security under linear independence restriction in the random oracle model. Secondly, the blockchain nodes can act as a distributed key management server to offer control over master keys used to generate private keys for different data users that reflect their attributes through launching transactions on the blockchain system. Finally, we develop smart contracts for proving the correctness of proxy re-encryption (PRE) and provide auditability for the whole data-sharing process. Compared with the traditional CP-ABE algorithm, the post-quantum CP-ABE algorithm can significantly improve the computation speed according to the result of the functional and experimental analysis. Moreover, the proposed blockchain-based CP-ABE scheme provides not only multi-cryptography collaboration to enhance the security of data access and sharing but also reduces average transaction response time and throughput. Full article

The privacy and security of patients’ health records have been an ongoing issue, and researchers are in a race against technology to design a system that can help stop the compromising of patient data. Many researchers have proposed solutions; however, most solutions have not incorporated potential parameters that can ensure private and secure personal health records management, which is the focus of this study. To design and develop a solution, this research thoroughly investigated existing solutions and identified potential key contexts. These include IOTA Tangle, Distributed Ledger Technology (DLT), IPFS protocols, Application Programming Interface (API), Proxy Re-encryption (PRE), and access control, which are analysed and integrated to secure patient medical records, and Internet of Things (IoT) medical devices, to develop a patient-based access management system that gives patients full control of their health records. This research developed four prototype applications to demonstrate the proposed solution: the web appointment application, the patient application, the doctor application, and the remote medical IoT device application. The results indicate that the proposed framework can improve healthcare services by providing immutable, secure, scalable, trusted, self-managed, and traceable patient health records while giving patients full control of their own medical records. Full article

In e-health systems, patients encrypt their personal health data for privacy purposes and upload them to the cloud. There exists a need for sharing patient health data with doctors for healing purposes in one’s own preferred order. To achieve this fine-gained access control to delegation paths, some researchers have designed a new proxy re-encryption (PRE) scheme called autonomous path proxy re-encryption (AP-PRE), where the delegator can control the whole delegation path in a multi-hop delegation process. In this paper, we introduce a certificateless autonomous path proxy re-encryption (CLAP-PRE) using multilinear maps, which holds both the properties (i.e., certificateless, autonomous path) of certificateless encryption and autonomous path proxy re-encryption. In the proposed scheme, (a) each user has two public keys (user’s identity and traditional public key) with corresponding private keys, and (b) each ciphertext is first re-encrypted from a public key encryption (PKE) scheme to an identity-based encryption (IBE) scheme and then transformed in the IBE scheme. Our scheme is an IND-CPA secure CLAP-PRE scheme under the k-multilinear decisional Diffie–Hellman (k-MDDH) assumption in the random oracle model. Full article

Storage is a promising application for permission-less blockchains. Before blockchain, cloud storage was hosted by a trusted service provider. The centralized system controls the permission of the data access. In web3, users own their data. Data must be encrypted in a permission-less decentralized storage network, and the permission control should be pure cryptographic. Proxy re-encryption (PRE) is ideal for cryptographic access control, which allows a proxy to transfer Alice’s ciphertext to Bob with Alice’s authorization. The encrypted data are stored in several copies for redundancy in a permission-less decentralized storage network. The redundancy suffers from the outsourcing attack. The malicious resource provider may fetch the content from others and respond to the verifiers. This harms data integrity security. Thus, proof-of-replication (PoRep) must be applied to convince the user that the storage provider is using dedicated storage. PoRep is an expensive operation that encodes the original content into a replication. Existing PRE schemes cannot satisfy PoRep, as the cryptographic permission granting generates an extra ciphertext. A new ciphertext would result in several expensive replication operations. We searched most of the PRE schemes for the combination of the cryptographic methods to avoid transforming the ciphertext. Therefore, we propose a new PRE scheme. The proposed scheme does not require the proxy to transfer the ciphertext into a new one. It reduces the computation and operation time when allowing a new user to access a file. Furthermore, the PRE scheme is CCA (chosen-ciphertext attack) security and only needs one key pair. Full article

The need to accelerate the innovation and application of the supply chain has been suggested by the State Council of China. To solve the problem of data isolation caused by privacy protection in the power material supply chain, a data traceability and sharing mechanism based on blockchain is designed in this paper. Firstly, the existing problems of the power material supply chain are introduced, and the applicability of blockchain in the power material supply chain in view of these problems is analyzed. Secondly, blockchain-based power material supply deployment and application structures are proposed. Then, considering the problem of data isolation in the material inspection and distribution links between suppliers and the material company, a data traceability mechanism based on blockchain is designed to provide evidence for the data authenticity and a proxy re-encryption method is used to ensure security and privacy in data sharing. Finally, the effectiveness of the proposed data traceability and sharing mechanism is verified using the Hyperledger Fabric platform for power material case studies. The simulation results show that the combination of proxy re-encryption and blockchain technology in the power material supply chain can confirm the validity of the historical data and keep the private data of the material company confidential, so as to realize the traceability and sharing of the power material supply data. Full article

Population aging is currently a tough problem of many countries. How to utilize modern technologies (including both information and medical technologies) to improve the service quality of health information is an important issue. Personal Health Record (PHR) could be regarded as a kind of health information records of individuals. A ciphertext policy attribute-based encryption (CP-ABE) is a cryptographic primitive for fine-grained access control of outsourced data in clouds. In order to enable patients to effectively store his medical records and PHR data in medical clouds, we propose an improved multi-user CP-ABE scheme with the functionality of keyword search which enables data users to seek for specific ciphertext in the cloud server by using a specific keyword. Additionally, we adopt an independent proxy server in the proposed system architecture to isolate the communication between clients and the cloud server, so as to prevent cloud servers from suffering direct attacks and also reduce the computational loading of cloud servers. Compared with the previous approach, the proposed encryption algorithm takes less running time and the ciphertext length is also relatively short. Moreover, the procedures of re-encryption and pre-decryption only require one exponentiation computation, respectively. Full article